Author: jezdez
Date: 2011-06-26 09:52:01 -0700 (Sun, 26 Jun 2011)
New Revision: 16458

Modified:
   django/trunk/django/core/signing.py
Log:
Fixed #16285 -- Removed a misleading comment from the signing code, thanks 
PaulM.

Modified: django/trunk/django/core/signing.py
===================================================================
--- django/trunk/django/core/signing.py 2011-06-26 16:51:54 UTC (rev 16457)
+++ django/trunk/django/core/signing.py 2011-06-26 16:52:01 UTC (rev 16458)
@@ -96,8 +96,10 @@
     save some space. Prepends a '.' to signify compression. This is included
     in the signature, to protect against zip bombs.
 
-    Salt can be used to further salt the hash, in case you're worried
-    that the NSA might try to brute-force your SHA-1 protected secret.
+    Salt can be used to namespace the hash, so that a signed string is
+    only valid for a given namespace. Leaving this at the default
+    value or re-using a salt value across different parts of your
+    application without good cause is a security risk.
     """
     json = simplejson.dumps(obj, separators=(',', ':'))
 

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.